Bug 214616

Summary: kdm allows logins even if shell is set to /sbin/nologin
Product: [Unmaintained] kdm
Reporter: Caleb Cushing <xenoterracide>
Component: general
Assignee: kdm bugs tracker <kdm-bugs-null>
Status: RESOLVED NOT A BUG
Severity: normal
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Arch Linux
OS: Unspecified

Description Caleb Cushing 2009-11-15 08:06:04 UTC
Version: (using KDE 4.3.3)
Installed from: Archlinux Packages

I have a user account on the system that I wish to disable. I tried setting the shell to both /sbin/nologin and /bin/false; neither is effective at disabling the user from logging in with kdm. I believe this is a security hole (esp. nologin) since most Unix admins will do this to disable accounts.
Comment 1 Caleb Cushing 2009-11-15 08:17:08 UTC
The only way I've found to lock the account is to lock the password with sudo passwd -l username. Even setting the expire date to 1 doesn't work.

      -l, --lock
           Lock the password of the named account. This option disables a
           password by changing it to a value which matches no possible
           encrypted value (it adds a '!' at the beginning of the password).

           Note that this does not disable the account. The user may still be
           able to login using another authentication token (e.g. an SSH key).
           To disable the account, administrators should use usermod
           --expiredate 1 (this set the account's expire date to Jan 2, 1970).

           Users with a locked password are not allowed to change their
           password.
Comment 2 Oswald Buddenhagen 2009-11-15 09:54:10 UTC
you didn't add the pam_nologin module to the kde pam stack.
Comment 3 Oswald Buddenhagen 2009-11-15 10:09:03 UTC
bah, sorry, i misread. you want pam_shells, of course.

i have no idea why --expiredate 1 doesn't work - it might be a bug in pam_unix (or whatever other main authentication module you're using). i know that passwd -e works, and as it is the same from kdm's pov, i can safely deny any responsibility.
Comment 4 Caleb Cushing 2009-11-15 19:54:57 UTC
#%PAM-1.0
auth        required    pam_unix.so
auth        required    pam_nologin.so
account     required    pam_unix.so
password    required    pam_unix.so
session     required    pam_unix.so
session     required    pam_limits.so

Not knowing exactly how it works... what if I were bypassing passwords with kdm using autologin?
Comment 5 Oswald Buddenhagen 2009-11-15 20:09:56 UTC
autologin uses a separate service definition, but other than that it behaves just normally, i.e. it will do exactly what you told it to.
read the pam admin guide for details.
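An added example, not from this bug report or from kdm, showing what comment 3's fix (pam_shells) actually checks and how the stack in comment 4 changes. It replays the pam_shells test (is the account's login shell listed in /etc/shells?) over a constructed passwd and shells file, and checks a PAM service file for an auth line loading pam_shells. File names, user names and the "kde.weak"/"kde.fixed" service files are constructed sample data; the autologin service definition comment 5 mentions would need the same line.

```shell
#!/bin/sh
# Added example (not the reporter's or kdm's code): emulate the pam_shells check
# and audit a PAM service file for it, using constructed sample files.
SAMPLE_DIR=$(mktemp -d)

# Constructed passwd: bob and carol were "disabled" by shell only.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob (disabled):/home/bob:/sbin/nologin
carol:x:1002:1002:Carol (disabled):/home/carol:/bin/false
EOF
# Constructed /etc/shells: nologin and false are deliberately not listed.
cat > "$SAMPLE_DIR/shells" <<'EOF'
/bin/sh
/bin/bash
EOF
# The stack from comment 4 (auth part) and the same stack with pam_shells added.
cat > "$SAMPLE_DIR/kde.weak" <<'EOF'
#%PAM-1.0
auth        required    pam_unix.so
auth        required    pam_nologin.so
account     required    pam_unix.so
EOF
cat > "$SAMPLE_DIR/kde.fixed" <<'EOF'
#%PAM-1.0
auth        required    pam_unix.so
auth        required    pam_nologin.so
auth        required    pam_shells.so
account     required    pam_unix.so
EOF

# Print users whose login shell is not in the shells file: pam_shells rejects
# these, and a stack without pam_shells still admits them (only pam_unix runs).
users_not_in_shells() {  # $1 = passwd file, $2 = shells file
    awk -F: 'NR==FNR { if ($0 != "" && $0 !~ /^#/) ok[$0] = 1; next }
             !($7 in ok) { print $1 }' "$2" "$1"
}

# Succeed (exit 0) if the service file has an active auth line loading pam_shells.
pam_stack_has_shells() {  # $1 = PAM service file
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_shells\.so' "$1"
}

users_not_in_shells "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells"   # bob, carol
pam_stack_has_shells "$SAMPLE_DIR/kde.weak" || echo "kde.weak: no pam_shells"
```

Run the two functions against the real /etc/passwd, /etc/shells and /etc/pam.d/kde to see which shell-disabled accounts a kdm stack without pam_shells would still accept; remove "$SAMPLE_DIR" when done.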
Comment 6 Caleb Cushing 2009-11-17 01:03:39 UTC
does kde provide pam configuration files for kdm? or is that a distribution thing? if it's a distribution thing why doesn't kde do it?
Comment 7 Oswald Buddenhagen 2009-11-17 08:39:18 UTC
if no kde pam service definitions are to be found yet, make install (run as root) will try to derive appropriate ones from existing ones. if that fails, too bad. it is a distribution and admin thing, after all.